WSO2 3.2.0: Analytics et tableau de bord, impossible d'emprunter le client sur le port SSL 7712 + le champ obligatoire 'message' n'était pas présent
J'ai installé WSO2 3.2.0 récemment:
- Système d'exploitation: Debian 9
- WSO2 API Manager 3.2.0 du référentiel officiel
- WSO2 Analytics 3.2.0 à partir de l'archive zip
- Tout fonctionne sur la même machine avec le même nom de domaine
- Certificat valide pour ce nom de domaine, disons wso2.mydomain.com
J'ai essayé d'installer Analytics en suivant la documentation , mais je pense qu'il y a un problème de communication entre l'analyste et API Manager. Quand j'essaye d'aller sur mon tableau de bord ici , tout ce que j'ai est un écran bleu.
Voici mes avertissements et mes erreurs dans les journaux d'API Manager:
tail -f /usr/lib/wso2/wso2am/3.2.0/repository/logs/wso2carbon.log
WARN {org.wso2.carbon.databridge.agent.endpoint.DataEndpointGroup} - Aucun récepteur n'est joignable à la reconnexion, essaiera de se reconnecter toutes les 30 secondes
ERREUR {org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker} - Erreur lors de la tentative de connexion au point de terminaison. Impossible d'emprunter le client pour ssl: //wso2.mydomain.com: 7712. org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: impossible d'emprunter le client pour ssl: //wso2.mydomain.com: 7712.
Provoqué par: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: erreur lors de la tentative de connexion au récepteur de données.
Causé par: org.apache.thrift.transport.TTransportException
Voici mes avertissements et mes erreurs dans les journaux Analytics:
tail -f /usr/lib/wso2/wso2an/3.2.0/wso2/worker/logs/carbon.log
ERREUR {org.apache.thrift.server.TThreadPoolServer} - Une erreur d'économie s'est produite lors du traitement du message. org.apache.thrift.protocol.TProtocolException: le champ obligatoire 'message' n'était pas présent! Struct: ThriftAuthenticationException (message: null)
WARN {org.apache.thrift.transport.TIOStreamTransport} - Erreur lors de la fermeture du flux de sortie. java.net.SocketException: la connexion ou le trafic sortant est fermé
tail -f /usr/lib/wso2/wso2an/3.2.0/wso2/dashboard/logs/carbon.log
WARN {org.wso2.msf4j.internal.MSF4JHttpConnectorListener} - Erreur dans l'écouteur du connecteur http: "Le client distant a fermé la connexion avant de lancer la réponse sortante"
Voici ma configuration complète de déploiement d'API Manager à /usr/lib/wso2/wso2am/3.2.0/repository/conf/deployment.toml:
[server]
hostname = "wso2.mydomain.com"
node_ip = "127.0.0.1"
#offset=0
mode = "single" #single or ha
base_path = "${carbon.protocol}://${carbon.host}:${carbon.management.port}" #discard_empty_caches = false server_role = "default" [super_admin] username = "admin" password = "mypassword" create_admin_account = true [user_store] type = "database_unique_id" [database.apim_db] type = "h2" url = "jdbc:h2:./repository/database/WSO2AM_DB;AUTO_SERVER=TRUE;DB_CLOSE_ON_EXIT=FALSE" username = "wso2carbon" password = "wso2carbon" [database.shared_db] type = "h2" url = "jdbc:h2:./repository/database/WSO2SHARED_DB;DB_CLOSE_ON_EXIT=FALSE" username = "wso2carbon" password = "wso2carbon" [keystore.tls] file_name = "wso2carbon.jks" type = "JKS" password = "wso2carbon" alias = "owacustom" key_password = "wso2carbon" [keystore.primary] file_name = "wso2carbon.jks" type = "JKS" password = "wso2carbon" alias = "owacustom" key_password = "wso2carbon" [keystore.internal] file_name = "wso2carbon.jks" type = "JKS" password = "wso2carbon" alias = "owacustom" key_password = "wso2carbon" [[apim.gateway.environment]] name = "Production and Sandbox" type = "hybrid" display_in_api_console = true description = "This is a hybrid gateway that handles both production and sandbox token traffic." show_as_token_endpoint_url = true service_url = "https://wso2.mydomain.com:9443/services/" username= "${admin.username}"
password= "${admin.password}" ws_endpoint = "ws://wso2.mydomain.com:9099" wss_endpoint = "wss://wso2.mydomain.com:8099" http_endpoint = "http://wso2.mydomain.com:${http.nio.port}"
https_endpoint = "https://wso2.mydomain.com:${https.nio.port}" #[apim.cache.gateway_token] #enable = true #expiry_time = "900s" #[apim.cache.resource] #enable = true #expiry_time = "900s" #[apim.cache.km_token] #enable = false #expiry_time = "15m" #[apim.cache.recent_apis] #enable = false #[apim.cache.scopes] #enable = true #[apim.cache.publisher_roles] #enable = true #[apim.cache.jwt_claim] #enable = true #expiry_time = "15m" #[apim.cache.tags] #expiry_time = "2m" [apim.analytics] enable = true store_api_url = "https://wso2.mydomain.com:7444" username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}" #event_publisher_type = "default" #event_publisher_impl = "org.wso2.carbon.apimgt.usage.publisher.APIMgtUsageDataBridgeDataPublisher" #publish_response_size = true #[[apim.analytics.url_group]] #analytics_url =["tcp://wso2.mydomain.com:7611"] #analytics_auth_url =["ssl://wso2.mydomain.com:7711"] #type = "loadbalance" [[apim.analytics.url_group]] analytics_url =["tcp://wso2.mydomain.com:7612"] analytics_auth_url =["ssl://wso2.mydomain.com:7712"] #type = "failover" [apim.key_manager] service_url = "https://wso2.mydomain.com:9443/services/" username = "$ref{super_admin.username}"
password = "$ref{super_admin.password}" #pool.init_idle_capacity = 50 #pool.max_idle = 100 #key_validation_handler_type = "default" #key_validation_handler_type = "custom" #key_validation_handler_impl = "org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler" [apim.idp] server_url = "https://wso2.mydomain.com:9443" authorize_endpoint = "https://wso2.mydomain.com:9443/oauth2/authorize" oidc_logout_endpoint = "https://wso2.mydomain.com:9443/oidc/logout" oidc_check_session_endpoint = "https://wso2.mydomain.com:9443/oidc/checksession" #[apim.jwt] #enable = true #encoding = "base64" # base64,base64url #generator_impl = "org.wso2.carbon.apimgt.keymgt.token.JWTGenerator" #claim_dialect = "http://wso2.org/claims" #convert_dialect = false #header = "X-JWT-Assertion" #signing_algorithm = "SHA256withRSA" #enable_user_claims = true #claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever" [apim.oauth_config] #enable_outbound_auth_header = false #auth_header = "Authorization" revoke_endpoint = "https://wso2.mydomain.com:${https.nio.port}/revoke"
#enable_token_encryption = false
#enable_token_hashing = false
[apim.devportal]
url = "https://wso2.mydomain.com:9443/devportal"
#enable_application_sharing = false
#if application_sharing_type, application_sharing_impl both defined priority goes to application_sharing_impl
#application_sharing_type = "default" #changed type, saml, default #todo: check the new config for rest api
#application_sharing_impl = "org.wso2.carbon.apimgt.impl.SAMLGroupIDExtractorImpl"
#display_multiple_versions = false
#display_deprecated_apis = false
#enable_comments = true
#enable_ratings = true
#enable_forum = true
#enable_anonymous_mode=true
[apim.cors]
allow_origins = "*"
allow_methods = ["GET","PUT","POST","DELETE","PATCH","OPTIONS"]
allow_headers = ["authorization","Access-Control-Allow-Origin","Content-Type","SOAPAction","apikey", "testKey"]
allow_credentials = false
[apim.throttling]
#enable_data_publishing = true
#enable_policy_deploy = true
#enable_blacklist_condition = true
#enable_persistence = true
throttle_decision_endpoints = ["tcp://wso2.mydomain.com:5672","tcp://wso2.mydomain.com:5672"]
#[apim.throttling.blacklist_condition]
#start_delay = "5m"
#period = "1h"
#[apim.throttling.jms]
#start_delay = "5m"
#[apim.throttling.event_sync]
#hostName = "0.0.0.0"
#port = 11224
#[apim.throttling.event_management]
#hostName = "0.0.0.0"
#port = 10005
#[[apim.throttling.url_group]]
#traffic_manager_urls = ["tcp://wso2.mydomain.com:9611"]
#traffic_manager_auth_urls = ["ssl://wso2.mydomain.com:9711"]
#type = "loadbalance"
[[apim.throttling.url_group]]
traffic_manager_urls = ["tcp://wso2.mydomain.com.com:9611"]
traffic_manager_auth_urls = ["ssl://wso2.mydomain.com:9711"]
#type = "failover"
[apim.workflow]
#enable = false
service_url = "https://wso2.mydomain.com:9445/bpmn"
#username = "$ref{super_admin.username}" #password = "$ref{super_admin.password}"
callback_endpoint = "https://wso2.mydomain.com:9443/api/am/admin/v0.17/workflows/update-workflow-status"
token_endpoint = "https://wso2.mydomain.com:${https.nio.port}/token" client_registration_endpoint = "https://wso2.mydomain.com:9443/client-registration/v0.17/register" #client_registration_username = "$ref{super_admin.username}"
#client_registration_password = "$ref{super_admin.password}" #data bridge config #[transport.receiver] #type = "binary" #worker_threads = 10 #session_timeout = "30m" #keystore.file_name = "$ref{keystore.tls.file_name}"
#keystore.password = "$ref{keystore.tls.password}" #tcp_port = 9611 #ssl_port = 9711 #ssl_receiver_thread_pool_size = 100 #tcp_receiver_thread_pool_size = 100 #ssl_enabled_protocols = ["TLSv1","TLSv1.1","TLSv1.2"] #ciphers = ["SSL_RSA_WITH_RC4_128_MD5","SSL_RSA_WITH_RC4_128_SHA"] [apim.notification] #from_address = "APIM.com" #username = "APIM" #password = "APIM+123" hostname = "wso2.mydomain.com" #port = 3025 #enable_start_tls = false #enable_authentication = true apim.token.revocation] #notifier_impl = "org.wso2.carbon.apimgt.keymgt.events.TokenRevocationNotifierImpl" #enable_realtime_notifier = true #realtime_notifier.ttl = 5000 #enable_persistent_notifier = true persistent_notifier.hostname = "https://wso2.mydomain.com:2379/v2/keys/jti/" #persistent_notifier.ttl = 5000 #persistent_notifier.username = "root" #persistent_notifier.password = "root" [[event_handler]] name="userPostSelfRegistration" subscriptions=["POST_ADD_USER"] [service_provider] sp_name_regex = "^[\\sa-zA-Z0-9._-]*$"
[database.local]
url = "jdbc:h2:./repository/database/WSO2CARBON_DB;DB_CLOSE_ON_EXIT=FALSE"
[[event_listener]]
id = "token_revocation"
type = "org.wso2.carbon.identity.core.handler.AbstractIdentityHandler"
name = "org.wso2.is.notification.ApimOauthEventInterceptor"
order = 1
[event_listener.properties]
notification_endpoint = "https://wso2.mydomain.com:9443/internal/data/v1/notify"
username = "${admin.username}" password = "${admin.password}"
'header.X-WSO2-KEY-MANAGER' = "default"
# Remove "WSO2 Carbon Server" from server value in header response
[transport.http.properties]
server="wso2.mydomain.com"
# Intermediate compatibility (recommended) ciphers list see https://wiki.mozilla.org/Security/Server_Side_TLS
[transport.https.sslHostConfig.properties]
ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY1305, DHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384"
Voici les lignes que j'ai ajoutées au fichier boostrap d'API Manager sur /usr/lib/wso2/wso2am/3.2.0/bin/wso2server.sh:
-Djdk.tls.ephemeralDHKeySize=2048 \
-Djdk.tls.rejectClientInitiatedRenegotiation=true \
Je viens de modifier le mot de passe du super-administrateur dans mon fichier de déploiement de travail à /usr/lib/wso2/wso2an/3.2.0/conf/worker/deployment.yaml:
# Authentication configuration
auth.configs:
type: 'local' # Type of the IdP client used
userManager:
adminRole: admin # Admin role which is granted all permissions
userStore: # User store
users:
-
user:
username: admin
password: bXlwYXNzd29yZA==
roles: 1
roles:
-
role:
id: 1
displayName: admin
# Configuration to enable apim alerts
#analytics.solutions:
# APIM-alerts.enabled: true
Et j'ai remplacé certaines valeurs de l'hôte local par mon nom de domaine + modifié le mot de passe du super-administrateur dans mon fichier de déploiement de tableau de bord à /usr/lib/wso2/wso2an/3.2.0/conf/dashboard/deployment.yaml:
## Authentication configuration
auth.configs:
type: apim
ssoEnabled: true
properties:
adminScope: apim_analytics:admin_carbon.super
allScopes: apim_analytics:admin openid apim:api_view apim:subscribe apim_analytics:monitoring_dashboard:own apim_analytics:monitoring_dashboard:edit apim_analytics:monitoring_dashboard:view apim_analytics:business_analytics:own apim_analytics:business_analytics:edit apim_analytics:business_analytics:view apim_analytics:api_analytics:own apim_analytics:api_analytics:edit apim_analytics:api_analytics:view apim_analytics:application_analytics:own apim_analytics:application_analytics:edit
adminUsername: admin
adminPassword: mypassword
kmDcrUrl: https://wso2.mydomain.com:9443/client-registration/v0.17/register
kmTokenUrlForRedirection: https://wso2.mydomain.com:9443/oauth2
kmTokenUrl: https://wso2.mydomain.com:9443/oauth2
kmUsername: admin
kmPassword: admin
portalAppContext: analytics-dashboard
businessRulesAppContext : business-rules
cacheTimeout: 30
baseUrl: https://wso2.mydomain.com:9643
grantType: authorization_code
publisherUrl: https://wso2.mydomain.com:9443
devPortalUrl: https://wso2.mydomain.com:9443
externalLogoutUrl: https://wso2.mydomain.com:9443/oidc/logout
De plus, mes fichiers client-truststore.jks et wso2carbon.jks sont les mêmes pour les deux produits:
- /usr/lib/wso2/wso2am/3.2.0/repository/resources/security
- /usr/lib/wso2/wso2an/3.2.0/resources/security
Est-ce que je manque quelque chose? Merci d'avance!
Réponses
pouvez-vous vérifier si le chemin wso2am-analytics-3.2.0 / conf / dashboard / deployment.yaml ---> AM_DB -> jdbcUrl a été correctement configuré pour votre gestionnaire d'API wso2 am_db. Peut-être que votre chemin est incorrect et devrait le changer en fonction de votre chemin.